As vehicle technology continues to evolve, opportunities for malicious attacks will likely grow while vehicle cybersecurity lags behind.
Picture a day in the hopefully not-too-distant future when we're all back to our pre-pandemic routines. You're back to your morning commute, looking forward to picking up on your audiobook as you hop in the driver's seat and start your car.
But rather than the normal hum of the engine turning over, nothing happens. Well, not nothing. Your media console lights up with an ominous message: “This vehicle has been hijacked. To unlock your car, please forward one Bitcoin to the following address."
This scenario is a fictitious but entirely plausible account of just one of the emerging risks associated with vehicle hacking.
Think of vehicle hacking as a cyberattack targeting various access points in a connected vehicle—a vehicle that wirelessly communicates and shares data with other devices, platforms and internal and external networks and systems. Once a vehicle has been breached, an auto hacker can wreak all manner of havoc.
Vehicle hacks could include:
- Shutting down the car or truck and demanding a ransom to restart it.
- Commandeering the steering, braking, HVAC or other vehicle controls from the driver.
- Denial of service attacks that temporarily disable a vehicle.
- Encryption of personal or business data stored on, or accessed via, the connected vehicle.
As connected vehicle technology continues to evolve toward greater electronic control and wireless communication, the opportunities for malicious exploits will likely only grow. Every Bluetooth radio, telematics unit, tire pressure sensor or remote keyless entry built into a vehicle could become a potential vector for a crippling cyber intrusion.
By 2023 nearly 70% of light-duty vehicles and trucks sold globally are expected to feature internet connectivity and 76 million connected cars are projected to be sold in that same year, according to Statistica.
As connected vehicle technology proliferates rapidly, the state of vehicle cybersecurity doesn't appear to be keeping pace. The security status of internet-connected vehicles today “is pretty much the same as computers in the 1980s," according to industry expert Moshe Shlisel, CEO of GuardKnox Cyber Technologies, as quoted by the Detroit Free Press. It's a sobering assessment, especially when you consider how many cyberattacks are executed against computer systems that are often safeguarded by the most up-to-date technology.
Fleet owners may emerge as a particularly ripe target for vehicle hackers. As GuardKnox notes, “By invading the command and control of the fleet management system, a talented hacker could potentially shut down an entire fleet. While recent attacks indicate that hackers require about $500 to release a single vehicle, it would take a king's ransom to get all those trucks back into operation."
While vehicle hacking hasn't become as pervasive a real-world threat as computer hacking, vehicle manufacturers are already on notice. In 2015, one automaker was forced to recall 1.4 million vehicles following the revelation from security researchers that a vehicle series was vulnerable to remote takeover. The ubiquitous software updates that desktop and mobile computer owners are so accustomed to are now becoming routine for vehicles as well.
Risk transfer options must also keep pace with evolving vehicle technology. At Verisk, we've developed a new, optional auto hacking expense coverage endorsement and corresponding rating rule to help insurers address the insurance needs for vehicles equipped with connected vehicle technology.
As the road becomes target-rich for hackers, the insurance industry must stay ahead of this emerging risk by providing insurance coverage solutions that can help minimize and mitigate this 21st-century threat.
Andrew Blancher is director of commercial auto and emerging issues at Verisk.
This article was originally published in the Big “I" Virtual University.